We have been seeing very high CPU utilization values which reach the top (result of "sh processes cpu history" copied below), which were reaching only 40-50% a few months ago.
This is a router which has an ATM port with a 16Mbps connection towards the internet, and on the inside the Ethernet port is connected to our 6500 switch with 2500 PCs throughout the campus.
Is there anything I can do about this except replacing the router with a more powerful one?
What kind of config are you running? This utilization seems high, but I need to know if it's getting the full internet table, and whether you are running NAT, etc.
Current configuration : 22455 bytes
!
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot system flash c3825-advipservicesk9-mz.124-10b.bin
boot-end-marker
!
logging buffered 51200 warnings
no logging console
enable secret xxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
!
aaa session-id common
clock timezone GMT 2
no ip source-route
ip cef
!
!
!
!
ip domain name domain.com
ip name-server 10.0.0.9
ip name-server 10.0.0.46
ip inspect max-incomplete high 1600
ip inspect max-incomplete low 1200
ip inspect one-minute high 2000000000
ip inspect one-minute low 1000000000
ip inspect name firewall cuseeme timeout 3600
ip inspect name firewall ftp timeout 3600
ip inspect name firewall rcmd timeout 3600
ip inspect name firewall realaudio timeout 3600
ip inspect name firewall tftp timeout 30
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 15
ip ips sdf location flash://256MB.sdf
ip ips notify SDEE
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
^C
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class management in
 transport input ssh
line vty 5 15
 access-class management in
 transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179448
ntp server real-ip
!
end
Do it when it's high, and focus on the heavy hitters. If it's NAT and other processor-intensive processes, plus the full BGP routing table (although I only see a default route, so this may be a moot point), then you may have just exhausted the processor on this smaller router. A 3800 should handle the internet portion with no problem, but I have never used them for NAT, etc. The show proc cpu should help determine the issue. If this is the case, I would look for any potential config issues (which guys/gals on here should be able to help point out), and if there are none, then you may just need more horsepower. Hope this helps.
Your problem in a nutshell is that you are running IOS Firewall, NAT and a high-speed ATM interface on a low-end router. If your interface wasn't ATM, you would probably be OK, but ATM in this case is killing the router. The problem is that ATM uses cells and the IP packets need to be reassembled into packets before they can be inspected and NAT performed. If this were a packet interface, most of this processing would happen in hardware and you would be much better off. You didn't supply a "show ver" or a "show interface", but from the "show proc" you see that "IP Input" at 20% and "Inspect" at 6% are pretty high. If you add up all the numbers you only get to about 27%, so the rest of the CPU is being eaten up by hardware interrupt processing. Because the input interface is ATM, NAT and the packet inspection are being performed in software. Another good command is "show ip interface", which would show how many packets are being CEF switched, which in this case I would bet is pretty low. I would think that an ATM AIM card would help you out quite a bit here, since this module will offload the ATM processing.
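The two replies above both rely on the same reading of "show processes cpu": rank the heavy hitters, and compare the sum of the per-process percentages against the total to see how much is interrupt-level (switching) load rather than process-level load. The script below is an added example, not code from either poster or from Cisco; the "show processes cpu" sample it parses is constructed to resemble the numbers quoted in the thread (IP Input around 20%, Inspect around 6%), and the column layout it assumes is the standard IOS one with a "total%/interrupt%" header line.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of "show processes cpu" output (not the original poster's
# output). The header carries "total%/interrupt%" for the 5-second window.
SAMPLE_SHOW_PROC_CPU = """\
CPU utilization for five seconds: 92%/65%; one minute: 90%; five minutes: 88%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
   1        1234      5678    217  0.00%  0.00%  0.00%   0 Chunk Manager
  12        3456      7890    438  0.56%  0.50%  0.45%   0 ARP Input
  56      123456    234567    526  6.12%  5.90%  5.70%   0 Inspect
  98      987654   1234567    800 20.31% 19.80% 19.50%   0 IP Input
 110         100       200    500  0.00%  0.00%  0.00%   0 Net Background
"""

HEADER_RE = re.compile(r"CPU utilization for five seconds:\s*(\d+)%/(\d+)%")
PROC_RE = re.compile(
    r"^\s*(\d+)\s+\d+\s+\d+\s+\d+\s+"        # PID, Runtime(ms), Invoked, uSecs
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+"  # 5Sec, 1Min, 5Min
    r"\S+\s+(.+?)\s*$"                        # TTY, then process name (may contain spaces)
)


def parse_show_proc_cpu(text: str) -> Tuple[int, int, List[Tuple[str, float]]]:
    """Return (total_5sec, interrupt_5sec, [(process_name, 5sec_percent), ...])."""
    total = interrupt = None
    procs: List[Tuple[str, float]] = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            total, interrupt = int(m.group(1)), int(m.group(2))
            continue
        m = PROC_RE.match(line)
        if m:
            procs.append((m.group(5), float(m.group(2))))
    if total is None or interrupt is None:
        raise ValueError("no 'CPU utilization for five seconds' header found")
    return total, interrupt, procs


def cpu_breakdown(text: str) -> Dict[str, float]:
    """Split the 5-second CPU figure into process-level and interrupt-level load.

    'process_sum' is what the per-process lines add up to; it should land close
    to total - interrupt. Whatever is left over ('unaccounted') is time spent in
    interrupt context, i.e. packet switching that is not attributed to any process.
    """
    total, interrupt, procs = parse_show_proc_cpu(text)
    process_sum = round(sum(pct for _, pct in procs), 2)
    return {
        "total": total,
        "interrupt": interrupt,
        "process_level": total - interrupt,
        "process_sum": process_sum,
        "unaccounted": round(total - process_sum, 2),
    }


def heavy_hitters(text: str, n: int = 3, threshold: float = 1.0) -> List[Tuple[str, float]]:
    """Processes using at least `threshold` percent, highest first, at most n of them."""
    _, _, procs = parse_show_proc_cpu(text)
    busy = [p for p in procs if p[1] >= threshold]
    return sorted(busy, key=lambda p: p[1], reverse=True)[:n]


if __name__ == "__main__":
    summary = cpu_breakdown(SAMPLE_SHOW_PROC_CPU)
    print(f"total {summary['total']}%  interrupt {summary['interrupt']}%  "
          f"process sum {summary['process_sum']}%  unaccounted {summary['unaccounted']}%")
    for name, pct in heavy_hitters(SAMPLE_SHOW_PROC_CPU):
        print(f"  {pct:6.2f}%  {name}")
```

Run it against a pasted capture taken while the CPU is high, as the first reply suggests; a small process sum next to a large "unaccounted" figure is the signature described above, where the CPU is going to interrupt-level switching (cell reassembly, software NAT and inspection on the ATM path) rather than to any single process you could tune away.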
Yes, it makes better sense to move these functions to a firewall. The firewall in IOS is not as robust or flexible as a firewall device. If you're perfectly happy with the firewall functionality in IOS, then the AIM-ATM should fix the CPU issues you have, because the cell assembly/disassembly is done in hardware on the AIM. Another approach is to use a 7200VXR series or a 7300 series router; on those devices the ATM interfaces also do cell assembly/disassembly in hardware.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.